[00:26.750 --> 00:28.430]  Hey, AJ.
[00:28.950 --> 00:31.310]  Hello. How are you?
[00:33.010 --> 00:34.090]  Hi.
[00:34.090 --> 00:35.430]  I'm doing good.
[00:39.530 --> 00:43.050]  Alright, it looks like our presenters are here.
[00:43.570 --> 00:47.850]  It sounds like there is a slight echo somewhere.
[00:51.830 --> 00:53.030]  Ah, no worries.
[00:53.590 --> 00:58.970]  How about now? Let's see.
[00:58.970 --> 01:00.490]  Yep, it seems to be gone.
[01:00.490 --> 01:01.490]  Let me...
[01:05.190 --> 01:07.670]  I like your t-shirt, Jason.
[01:08.550 --> 01:10.890]  Yes. I like it.
[01:11.330 --> 01:14.770]  So, is it backwards for you or forwards?
[01:15.930 --> 01:19.890]  It's forwards. I'm just going to go straight through. It looks like it's mirrored.
[01:19.990 --> 01:24.370]  Yeah, on mine, I get the mirror image.
[01:24.770 --> 01:25.670]  Nice.
[01:29.690 --> 01:35.630]  Alright, let me get your all slides queued up really quick, and we will go from there.
[01:35.850 --> 01:39.010]  We are almost at the hour, so let me share my screen.
[01:40.850 --> 01:44.490]  Let's share the screen. Let us share the slides.
[01:44.490 --> 01:47.950]  So, I'm going to introduce you all in a few. Let me go from there.
[01:48.370 --> 01:50.270]  Alright, can you all see the slides?
[01:50.790 --> 01:51.930]  Let's see.
[01:52.830 --> 01:53.710]  Yep.
[01:54.950 --> 01:56.270]  I can see.
[01:59.090 --> 02:00.050]  Okay, that's perfect.
[02:00.050 --> 02:01.190]  I'm getting...
[02:02.970 --> 02:05.010]  Okay, now I see it.
[02:05.510 --> 02:08.890]  Perfect, perfect. And we will commence just shortly.
[02:09.370 --> 02:13.310]  Give folks a few more minutes to pop on. It looks like...
[02:13.310 --> 02:14.170]  Sure.
[02:20.340 --> 02:24.440]  There's about nine folks on the Twitch chat.
[02:25.220 --> 02:30.580]  We have another maybe ten or so on the voice chat, so...
[02:31.940 --> 02:33.800]  Alright, let us commence.
[02:33.800 --> 02:35.800]  So, hi everybody.
[02:35.940 --> 02:39.220]  I'd like to welcome our next set of speakers.
[02:39.220 --> 02:42.940]  We have Art Jason Kronk and A.J. Gmusel.
[02:42.940 --> 02:46.740]  They're going to be talking about the models of privacy norms.
[02:46.740 --> 02:48.880]  So, a little bit about Jason.
[02:48.880 --> 02:53.580]  Jason is a privacy consultant with the Interprivacy Consulting Group,
[02:53.680 --> 02:55.740]  a boutique privacy consulting firm,
[02:55.740 --> 03:01.920]  where his current focus is on helping companies overcome the socio-technical challenges of privacy.
[03:02.160 --> 03:04.900]  He is a certified information privacy professional,
[03:05.260 --> 03:07.460]  a certified information privacy manager,
[03:07.600 --> 03:10.040]  a certified information privacy technologist,
[03:10.040 --> 03:12.660]  and a floor member of the IAPP faculty,
[03:12.820 --> 03:15.060]  a licensed attorney in the United States,
[03:15.060 --> 03:16.640]  an author, blogger, speaker,
[03:16.640 --> 03:20.860]  and is a passionate advocate for understanding privacy.
[03:20.860 --> 03:23.320]  He writes regularly for both his own blog and others,
[03:23.320 --> 03:26.980]  and he has been a guest speaker at his alma mater, FSU College of Law,
[03:26.980 --> 03:32.280]  and he frequently speaks at IAPP events and tweets at Privacy Maverick.
[03:33.180 --> 03:34.200]  Welcome, Jason.
[03:34.200 --> 03:39.720]  And then our next speaker, who is also in the talk, is A.J. Gmusel.
[03:39.740 --> 03:44.500]  So, A.J. is an editor, legal researcher, lecturer, and licensed attorney.
[03:44.500 --> 03:48.680]  Her interests are privacy, privacy by design, technology law,
[03:48.680 --> 03:51.300]  contract law, and cybersecurity law.
[03:51.300 --> 03:55.420]  She received her LL.M. from the University of Illinois College of Law in 2019,
[03:55.420 --> 03:58.620]  where she focused on intellectual property and technology law.
[03:58.620 --> 04:05.660]  After her graduation, she started her research for Privacy Wiki at privacy.wiki,
[04:05.660 --> 04:08.040]  and now she's a chief legal editor at the wiki,
[04:08.040 --> 04:12.640]  with Professor Faye Jones and R. Jason Gronk of Pender Privacy,
[04:12.640 --> 04:14.540]  one of our other speakers.
[04:14.800 --> 04:17.020]  She's been working with Jason for over a year
[04:17.020 --> 04:20.000]  as a legal editor at Privacy Wiki.
[04:20.140 --> 04:23.460]  She remains at her work and researches in the wiki
[04:23.460 --> 04:25.660]  at the Interprivacy Consulting Group.
[04:25.660 --> 04:29.800]  She's also a visiting researcher at the Turkish Personal Data Protection Authority,
[04:29.800 --> 04:34.580]  and she teaches the course of health and privacy law at a Turkish university.
[04:34.840 --> 04:40.060]  Thank you, everybody, for being here as well, our Ethics Village attendees.
[04:40.060 --> 04:45.420]  I'd like to say welcome to our speakers, and without further ado, we will go forward.
[04:47.220 --> 04:51.480]  Thanks, Steve, for the introduction, and thanks, everyone, for taking time and joining us today.
[04:51.480 --> 04:53.920]  Hope everyone is healthy and safe.
[05:03.570 --> 05:06.770]  I can hear the Jason's voice, which is weird.
[05:08.610 --> 05:09.930]  Can't hear me?
[05:10.150 --> 05:12.670]  Yeah, I can hear you right now.
[05:14.510 --> 05:15.470]  Okay.
[05:16.610 --> 05:19.090]  So, you know, what is privacy?
[05:19.090 --> 05:20.990]  I often get this question.
[05:21.090 --> 05:22.450]  You may get this question.
[05:22.450 --> 05:24.070]  You may have this question.
[05:24.070 --> 05:29.090]  Oftentimes, you know, we run into situations where, you know, we talk about privacy,
[05:29.090 --> 05:35.570]  and it seems very ambiguous, ethereal, hard to pinpoint.
[05:35.570 --> 05:41.530]  We know it when we feel it, just like the old U.S. Supreme Court pornography case.
[05:41.530 --> 05:43.110]  I know it when I see it.
[05:43.270 --> 05:52.210]  But, you know, it's kind of hard to define, you know, say in a simple sentence or easily state.
[05:53.730 --> 06:04.610]  You know, I run into this situation all the time when people, you know, ask me what I do or ask me, you know, to try to help them.
[06:04.610 --> 06:08.690]  You know, companies want to build more privacy into their products.
[06:08.690 --> 06:10.210]  But what does that mean?
[06:10.210 --> 06:12.850]  What do we mean by privacy?
[06:13.690 --> 06:20.590]  AJ, I'm assuming, you know, you have the same questions or people have asked you the questions as well.
[06:20.590 --> 06:25.410]  Yeah, privacy is a complex social norm that has been tried to define for over decades.
[06:25.410 --> 06:31.130]  So as you can mention that privacy is very ambiguous and broad and depends on individuals,
[06:31.130 --> 06:40.930]  their psychology, responsibilities, cultural effects, sociological backgrounds, personal choices or preferences and experience and so on.
[06:40.930 --> 06:48.430]  Maybe in a chat screen, someone has a description of privacy.
[06:50.090 --> 06:55.270]  If you have like description of privacy by your own, just think about what privacy is for you.
[06:55.270 --> 06:58.650]  And do you care about that? Do you care about others' privacy?
[06:58.650 --> 07:02.490]  Or is it ethical for you to violate someone's privacy?
[07:03.930 --> 07:11.930]  That would be great to share your thoughts in a chat screen if you have one.
[07:14.980 --> 07:17.420]  What is your own privacy?
[07:22.890 --> 07:29.390]  I think that there is no real answers for privacy right now.
[07:31.780 --> 07:33.420]  Let me look again.
[07:39.960 --> 07:44.680]  Okay, what is privacy for you then, Jason? Like how do you describe it?
[07:52.240 --> 07:57.640]  Jason will be back in a few. It seems his chat has crashed or Discord has gone.
[07:57.640 --> 07:59.620]  So he will be back in a second.
[08:00.360 --> 08:06.960]  And if anybody has any questions, please feel free to field them to AJ over in the chat.
[08:06.960 --> 08:16.780]  If any of you all have any ideas on what privacy means to you, please post it in the chat as we wait for Jason to come back on.
[08:18.680 --> 08:33.720]  Okay, while we're waiting for Jason, I just wanted to talk about what we are going to talk in models of privacy norms under this talk.
[08:34.140 --> 08:42.140]  Jason and I are going to talk and discuss about models of privacy norms and how to use them in organizations, businesses, or daily lives.
[08:42.140 --> 08:50.820]  We're questioning the definition of privacy and diving in solo taxonomy and looking to Nest privacy framework.
[08:50.840 --> 08:56.240]  Lastly, we also talk about our privacy wiki. Again, thanks for joining us.
[08:56.240 --> 09:00.900]  But I think that we will be waiting for Jason.
[09:07.280 --> 09:13.800]  Just some technical difficulties, folks. Unfortunately, Discord is a little bit glitchy sometimes.
[09:13.800 --> 09:24.140]  I think it crashed the thing twice yesterday. So while we wait for Jason, if anybody has any idea of what privacy means to them, please post in the chat.
[09:24.140 --> 09:33.880]  I think for me, AJ, kind of moving a little bit forward, especially nowadays with social media and how people are constantly taking our data.
[09:33.880 --> 09:37.800]  Oh, it looks like Jason is back. There we are.
[09:37.800 --> 09:39.280]  Thanks for the definition.
[09:40.080 --> 09:44.420]  Definitely, definitely. Let's see. Jason, can you hear us?
[09:49.480 --> 09:52.320]  Let's wait a few seconds. Let's see while he goes live.
[09:55.550 --> 10:02.190]  So to finish my thought on that, you know, especially nowadays with people are being sold as a service.
[10:02.190 --> 10:07.350]  So all of your data that is essentially being sold, you know, as a product.
[10:07.350 --> 10:16.970]  So, you know, when everything is free, you are the product when it comes to Facebook, Google, when it comes to all the social media applications, Reddit and what have you.
[10:16.970 --> 10:24.710]  I think privacy to me means can I have control over that, that data, my information, all my posts.
[10:24.710 --> 10:32.670]  For all of you that have used, you know, social networking, online dating apps, online health, body checkers, Fitbits and what have you.
[10:32.670 --> 10:37.130]  Where is your data going? That's a question. And do you even own it?
[10:37.570 --> 10:42.630]  Because technically you have sold it to a company by using their application.
[10:42.630 --> 10:51.570]  So to me, that is what privacy is, I guess, in the 21st century, you know, in current times, what it means to me, I would say.
[10:52.730 --> 10:58.070]  And let's see if we can hear Jason really quick. I'll be right back, folks.
[11:49.250 --> 11:55.610]  So, I guess while we wait for Jason, let's see if we can double check.
[11:56.130 --> 12:04.670]  For those of you, can you all hear us clearly on the Ethics Talks voice channel? Just to double check.
[12:04.670 --> 12:08.390]  Please give us a shout out in the general text, just to double check and see.
[13:17.690 --> 13:24.850]  So, folks, give us one quick second. It looks like our speaker's computer probably decided to randomly reset itself when it shouldn't.
[13:24.850 --> 13:31.130]  Thanks, Microsoft, wherever you are. Billy G and what's-his-face, Palmer.
[13:31.230 --> 13:40.130]  Anyhoo, while we wait for our speaker to come back, I will put the slides up temporarily and we will continue forward.
[13:40.130 --> 13:50.570]  Again, this talk will continue just in a little while as our speaker, RJ Sincron, comes back from the form-dreaded Microsoft crashing death and doom.
[13:51.050 --> 13:54.790]  And thank you all for your patience. We will commence just shortly.
[13:54.790 --> 13:57.270]  And yeah, hang in there.
[15:54.780 --> 16:05.180]  Alright, folks, while we're waiting, does anybody have any ideas or any ideas when it comes to privacy, what it means to them?
[16:05.540 --> 16:15.480]  Please post it into the general chat. Earlier I was talking with AJ a little bit about how a lot of our, I guess, privacy,
[16:16.600 --> 16:20.300]  a lot of our privacy is kind of being taken nowadays with the idea of social media.
[16:20.840 --> 16:28.900]  Ah, here we go. So we got something from our very own The Fixer, one of our Ethics Village staff.
[16:28.900 --> 16:35.740]  So The Fixer says, for those of you that are on Twitch and other non-discord things,
[16:35.740 --> 16:43.100]  privacy within an application on the internet is the ability to do what I wish to do without attribution when I am not authenticated.
[16:43.100 --> 16:49.240]  When I am authenticated, then my activity should only be visible with whom I should choose to make visible without a warrant.
[16:49.240 --> 16:54.220]  Or actually, no, I'm sorry, that was from a Twitch comment from Denny Ma.
[16:54.220 --> 16:57.600]  So thank you, The Fixer, for relaying that from there.
[16:58.020 --> 17:02.800]  Let us double check and see now if our speakers are back.
[17:03.020 --> 17:04.320]  Hi, Jason, are you with us?
[17:04.320 --> 17:05.940]  Can you hear me?
[17:05.940 --> 17:06.280]  Yeah.
[17:06.280 --> 17:07.900]  Yeah, I hear you very well.
[17:11.850 --> 17:17.410]  A windowed blue screen in like years and years.
[17:17.410 --> 17:19.670]  Now I've pulled up Discord.
[17:19.670 --> 17:24.350]  It won't give me video, and it says your Discord installation is corrupt.
[17:24.970 --> 17:27.690]  But if you can hear me, that's good.
[17:27.690 --> 17:32.190]  I don't see the... are you still sharing the screen or no?
[17:32.990 --> 17:34.950]  Yes, I am currently sharing the screens.
[17:34.950 --> 17:38.650]  I am on the very first slide, Models of Privacy Norms.
[17:38.670 --> 17:43.670]  Jason, I was going to say you can also join our Twitch stream if you want to mute it.
[17:43.950 --> 17:45.610]  Oh, that was from Walt Williams.
[17:45.610 --> 17:49.330]  If you want to join, let me post that really quick.
[17:49.610 --> 17:53.470]  It's twitch.tv forward slash Ethics Village.
[17:53.470 --> 17:56.350]  You'll be able to see the slides as I go through them.
[17:57.090 --> 17:59.570]  Yeah, let me do that.
[18:02.370 --> 18:04.750]  And Dr. Wardog, you are correct.
[18:04.750 --> 18:09.970]  You can use Gen 2 and never update anything, but then you'll be stuck in cyclic dependency hell
[18:09.970 --> 18:13.910]  when you forget to update your box because Gen 2 likes to be bleeding edge.
[18:13.910 --> 18:15.590]  Although, yes, use Gen 2.
[18:15.590 --> 18:18.070]  If you want to heat up your apartment in the winter.
[18:32.040 --> 18:35.500]  Okay, we're back.
[18:35.500 --> 18:37.660]  So I see the original first screen.
[18:37.660 --> 18:38.780]  Is that correct?
[18:38.780 --> 18:39.660]  That is correct.
[18:39.660 --> 18:40.520]  Awesome.
[18:40.760 --> 18:43.340]  We can start if you'd like.
[18:43.340 --> 18:45.140]  I'm going to mute myself.
[18:45.140 --> 18:47.000]  And yeah, we'll start again.
[18:47.360 --> 18:52.120]  Everybody, welcome our speakers, R. Jason Kronk and A.J. Gumusel.
[18:52.140 --> 18:55.800]  I will stop speaking now and I'll let you all commence.
[18:58.240 --> 19:01.120]  So, okay, go ahead and advance to the next slide.
[19:05.540 --> 19:15.820]  So we often get the question of, and I'm going to repeat, and hopefully I don't know where everybody left off, but this may be a repeat for some people.
[19:15.920 --> 19:19.460]  But, you know, I often get the question, what is privacy?
[19:20.480 --> 19:24.700]  You know, it tends to be a very subjective topic.
[19:24.700 --> 19:29.860]  You know, everybody has their own opinion of what constitutes privacy.
[19:30.100 --> 19:32.960]  Everybody has a hard time defining it.
[19:33.140 --> 19:39.420]  And in defining it, it makes it really hard to manage it in a company.
[19:39.420 --> 19:45.020]  You know, a lot of people, I gave an example just a moment ago, but I'll say it again.
[19:45.180 --> 19:51.500]  Similar to the Supreme Court case around pornography, I know it when I see it.
[19:51.500 --> 20:00.240]  When I see a privacy violation or I feel a privacy violation, I know it's a privacy violation, but I have a hard time defining it.
[20:00.260 --> 20:03.100]  So, AJ, you were kind of expanding on that.
[20:03.100 --> 20:09.080]  Do you want to repeat what you were saying before my technical glitch?
[20:10.000 --> 20:18.300]  Well, I was saying that privacy, as you said, is a complex social norm that has been tried to define for over decades.
[20:18.300 --> 20:23.040]  However, there's no specific definitions or description for privacy.
[20:23.300 --> 20:27.100]  And you told, like, privacy is very ambiguous and broad.
[20:27.100 --> 20:34.240]  So, it depends on individual social backgrounds or preferences or personal choices.
[20:34.300 --> 20:39.940]  And there are tons of, like, and other, like, definitions from the chat.
[20:39.940 --> 20:43.780]  I saw Anna's definitions for privacy.
[20:44.600 --> 20:48.320]  Anna says that everybody has different privacy thresholds.
[20:48.320 --> 20:51.800]  And that's why, to me, it's important that we default to privacy.
[20:51.800 --> 20:56.820]  Any data sharing should only happen as a result of personal choice.
[20:57.300 --> 20:59.140]  That was good.
[21:00.720 --> 21:04.000]  And SushiPens agrees that.
[21:04.000 --> 21:11.600]  And it's sad to see that the norm on a lot of platforms is to opt into privacy instead of opt out.
[21:12.600 --> 21:14.940]  The user says, SushiPens says.
[21:15.360 --> 21:27.060]  And another comment on Twitch was privacy is the right to own data about yourself and not have others use that data without your express permission.
[21:27.060 --> 21:35.740]  Privacy is the right to own data about yourself and not have others use that data without your express permission.
[21:35.740 --> 21:39.500]  I don't know. It's just more security in privacy.
[21:40.560 --> 21:57.940]  Well, certainly, I think a lot of people, you know, especially if they have a technical background or even a security background, you know, they tend to gravitate towards that, you know, concept of confidentiality and, you know, you know, right to control data.
[21:58.620 --> 22:08.480]  But, you know, as I hope, you know, as we get into it, we'll expand on that and talk more about, you know, different thoughts around privacy.
[22:08.480 --> 22:10.040]  Next slide.
[22:14.230 --> 22:21.310]  So I want to give a little anecdotal story.
[22:21.310 --> 22:26.990]  I was at an event two years ago, maybe a year and a half ago or so.
[22:26.990 --> 22:29.930]  It was a IAPP KnowledgeNet.
[22:29.930 --> 22:33.290]  So the IAPP is the International Association of Privacy Professionals.
[22:33.290 --> 22:35.870]  And I was at a local chapter meeting.
[22:35.870 --> 22:49.210]  And we were doing an exercise, we were being led in an exercise to consider if there was an ethical issue around a specific scenario.
[22:49.210 --> 22:58.170]  So we were given a scenario and asked to say, you know, is there an ethical issue with what's going on?
[22:58.170 --> 23:00.990]  And should we, you know, what should we do about it?
[23:00.990 --> 23:04.010]  And I was really struck.
[23:04.610 --> 23:09.170]  I, you know, we were each kind of cordoned off into tables.
[23:09.170 --> 23:12.990]  And I had about three or four or four or five other people at my table.
[23:13.270 --> 23:16.350]  And at first, I just kind of sat back and listened.
[23:16.490 --> 23:23.210]  I was really struck by the number of people who were like, oh, there's no ethical issue.
[23:23.390 --> 23:26.050]  Or, yeah, I see an ethical issue.
[23:26.050 --> 23:30.670]  They didn't really have a frame of reference.
[23:30.830 --> 23:40.930]  They were just kind of talking in a vacuum of seeing an ethical issue or not seeing an ethical issue.
[23:40.930 --> 23:57.330]  And it was really problematic from my perspective because it makes it much more difficult to deal with if you're not working from a common frame of reference in terms of what is ethical and what is unethical.
[23:57.330 --> 24:05.750]  Because when I prodded, when I asked the person who said there's no ethical issue, I was like, well, what are you measuring this against?
[24:05.750 --> 24:08.710]  What do you consider ethical and unethical?
[24:08.710 --> 24:11.330]  And he sat there and he thought for a minute.
[24:11.330 --> 24:18.270]  I'm like, what is the measuring tool by which you're deciding this is unethical or not?
[24:18.310 --> 24:20.250]  And he sat and thought for a minute.
[24:20.250 --> 24:26.510]  And he's an attorney, and I'll be forthcoming and say I'm an attorney as well.
[24:26.510 --> 24:30.070]  So I don't want to disparage all attorneys, just some of them.
[24:30.070 --> 24:41.210]  So he was like, well, yeah, I'm an attorney and they don't have a duty of confidentiality here like an attorney would.
[24:41.210 --> 24:43.070]  So there's no ethical issue.
[24:43.750 --> 24:55.350]  So that's the only measuring stick by which you determine there's an ethical issue is whether or not there's a duty of confidentiality and they breach that duty.
[24:55.350 --> 25:00.970]  So he sat and thought about it and he's like, well, maybe there's a fiduciary duty.
[25:00.970 --> 25:05.290]  You have a duty to, you know, clients to protect data.
[25:05.710 --> 25:16.510]  Again, he was very narrow minded in his thought pattern about what, you know, what is privacy or what was what was ethical in this situation.
[25:16.770 --> 25:22.850]  So I want to introduce you to two concepts in the law.
[25:22.850 --> 25:33.190]  So Latin terms, malum in se and malum prohibitum. Malum in se means evil, wrong in itself.
[25:33.390 --> 25:37.790]  We typically think of the stereotypical example here is murder.
[25:37.790 --> 25:43.810]  You know, we as a society almost universally view murder as as wrong.
[25:43.810 --> 25:50.050]  It's an evil unto itself. You don't need a law to tell you that murder is wrong.
[25:50.050 --> 25:59.010]  So then there's a concept of malum prohibitum, and this is wrong because a statute law or regulation says so.
[25:59.010 --> 26:13.110]  So if the law says that going over 55 miles an hour on this road is a violation of the law, it's only wrong because that statute set that speed limit on that road.
[26:13.110 --> 26:18.990]  Going 55 miles per hour is not wrong in and of itself.
[26:18.990 --> 26:27.890]  It's not it's not an evil unto itself. It's only wrong because a law says so in particular.
[26:28.110 --> 26:39.510]  So I would position that privacy is more in the in the realm of or violations of privacy are more in the realms of malum in se.
[26:39.510 --> 26:45.590]  In other words, you know, violating somebody's privacy is evil or wrong into itself.
[26:45.590 --> 26:52.370]  But but how do we again, how do we determine murder? Pretty obvious. OK, killing somebody, you know, taking out their life.
[26:52.370 --> 26:58.290]  But when I when I say privacy is is wrong in or violations of privacy is wrong in itself.
[26:58.530 --> 27:08.430]  And we're back to that question of what is privacy and is there an is there or can there be agreement around that?
[27:08.430 --> 27:17.310]  I think in this concept, I think complying a rule without considering and evaluating is also a concern for privacy.
[27:18.330 --> 27:22.170]  Sorry, you said compliance. Say that again?
[27:22.210 --> 27:28.710]  Complying a rule without considering and evaluating is also a concern for privacy.
[27:28.710 --> 27:39.810]  Sure, sure. Agreed. So, you know, so how do so what are the social norms to which I'm referring, you know, and how do we define them?
[27:39.810 --> 27:46.800]  And they may be different. You know, we talked about privacy being subjective, but it may be different based on different cultures,
[27:47.610 --> 27:56.770]  certainly different contexts and situations. Sorry, AJ, I know I went on a little bit of a rant there on the compliance issue.
[27:56.770 --> 28:00.370]  Do you have anything else you wanted to add here?
[28:00.670 --> 28:09.130]  Well, I just wanted to add like you're thinking you're we're talking about it depends on privacy depends upon individuals to individuals,
[28:09.130 --> 28:13.650]  but it's considering as a human rights as well. I just want to edit it.
[28:13.650 --> 28:20.030]  And while we're talking about privacy as social norm, I just wanted to remind it.
[28:20.030 --> 28:27.490]  I remember the event in 2016, you know, Mark Zuckerberg is just like leading Facebook.
[28:27.490 --> 28:34.590]  And he in 2016, he considered privacy is not a social norm in 21st century.
[28:34.590 --> 28:43.070]  But here is we're talking about privacy as a social norm, as professionals.
[28:43.070 --> 28:46.910]  And I think that it's just valuable for all humanity.
[28:46.910 --> 28:57.250]  So like we're not only thinking that privacy as a social norm, but also we should consider about a human right.
[28:57.870 --> 29:09.130]  Yeah, I would say, you know, going back to that Mark Zuckerberg quote, you know, I think, again, this is what is is makes privacy confusing is,
[29:09.130 --> 29:13.850]  you know, he was using a certain concept or definition of privacy.
[29:13.850 --> 29:17.750]  You know, if you started probing and asking him questions about that,
[29:17.750 --> 29:26.590]  he might feel that there are other things that fall within the privacy rubric that, you know, certainly are social norms.
[29:26.650 --> 29:32.570]  Clearly, he was using that for, you know, defensive purposes of Facebook's actions.
[29:32.650 --> 29:38.550]  But, you know, but again, it depends on what you mean.
[29:38.550 --> 29:49.930]  And oftentimes when somebody says privacy, they're usually talking about one aspect and not the entire spectrum of what what people might consider privacy.
[29:49.930 --> 29:50.610]  Of course.
[29:50.610 --> 29:53.710]  OK, let's go on to the next slide.
[29:54.570 --> 29:58.210]  So let's talk about models of privacy norms.
[29:58.670 --> 30:03.830]  You know, there are several models of privacy norms and we respect them.
[30:03.830 --> 30:07.370]  However, we selected the most popular and well-known models.
[30:07.370 --> 30:17.760]  They're Hartzog's Privacy Pillars, Weston's States of Privacy, Presser's Privacy Torts, Callot's Harm, Solow's Taxonomy.
[30:17.950 --> 30:24.970]  And we're going to talk about also Nissenbaum's Obfuscation, which Hartzog also discussed in his articles.
[30:25.090 --> 30:30.550]  When Hartzog and Weston defined privacy, they considered privacy values.
[30:30.550 --> 30:33.670]  Therefore, it is in white color in the left side.
[30:33.670 --> 30:43.130]  On the other hand, Presser, Callot, and Solow categorized privacy with its harms, which is why it is colored in black.
[30:43.810 --> 30:50.530]  Let's first talk about Weston and Hartzog, who defined privacy based on its values.
[30:50.530 --> 30:53.510]  Then Jason will speak about Presser, Callot, and Solow.
[30:53.510 --> 31:03.890]  And he will give an example about Solow's Taxonomy in order to illustrate what it is, what they are describing as privacy.
[31:04.130 --> 31:10.850]  L.L. Weston was a well-known privacy law professor and a legend in privacy.
[31:11.130 --> 31:21.250]  He shaped privacy law. He wrote his doctoral dissertation in the 1960s, which later got funding to turn into a book called Privacy and Freedom.
[31:21.250 --> 31:27.690]  I can quick quote his definition of privacy.
[31:27.690 --> 31:39.410]  It's like the claim of individuals, groups, or institutions determined to themselves when, how, and to what extent information about them is communicated to others.
[31:39.930 --> 31:45.090]  He pointed out privacy, either physical and psychological.
[31:45.090 --> 31:56.030]  He outlined these four states of privacy as solitude, intimacy, anonymity, and reserve, respectively.
[31:56.550 --> 32:03.830]  In its states of privacy, solitude means to be alone and free from observation by others.
[32:03.830 --> 32:06.610]  Weston was involved in the threat of freedom.
[32:06.610 --> 32:15.910]  For him, intimacy refers to being alone with a small group to the exclusion of others, such as family, and concerns close relationships.
[32:16.390 --> 32:22.970]  We can say that solitude and intimacy both involve freedom from observation of others.
[32:22.970 --> 32:32.070]  Everyone may be familiar with anonymity because everyone is just popping up the information security definitions in a chat.
[32:32.070 --> 32:39.790]  His anonymity is involving freedom from being identified by others.
[32:39.790 --> 32:44.030]  It depends on the choices available in one's environment.
[32:44.030 --> 32:50.410]  In other words, it refers to being unrecognized in a public place to be bland in the crowd.
[32:50.690 --> 32:55.350]  The last one is reserve.
[32:55.470 --> 33:00.490]  It's about freedom from disclosing information about yourself to others.
[33:00.490 --> 33:08.290]  It's not keeping information secret, but limiting communication of self to others in different ways.
[33:08.290 --> 33:12.150]  It is based on a desire to limit disclosure to others.
[33:12.150 --> 33:24.990]  So before talking about Herzog, I would also like to quote here Professor Elisa Austin's perspective to Weston's state of privacy to clarify.
[33:24.990 --> 33:31.410]  She states that in her re-reading article, like this,
[33:31.410 --> 33:38.410]  we choose a state of privacy when we choose to not share information about ourselves,
[33:38.710 --> 33:47.350]  either through shielding ourselves from observation, which refers solitude and intimacy,
[33:47.770 --> 33:54.970]  shielding ourselves from identification, which refers anonymity in Weston's state of privacy,
[33:54.970 --> 34:05.010]  or shielding ourselves from disclosure, which refers to reserve in states of privacy.
[34:05.030 --> 34:12.230]  So let's talk about Rudra Herzog values privacy with his pillars of privacy.
[34:12.230 --> 34:17.090]  He defined privacy in three pillars, obscurity, autonomy, and trust.
[34:17.090 --> 34:24.010]  We may familiar with it, but let's dive in his pillars of privacy.
[34:24.010 --> 34:29.890]  Obscurity is when information and people are hard or unlikely to be found or understood.
[34:29.890 --> 34:36.070]  People are relatively safe and rely on that risk calculus.
[34:36.070 --> 34:47.150]  It is continual presence of some facts, such as search visibility, unprotected access, identification, clarity.
[34:47.310 --> 34:50.390]  These are diminishes obscurity.
[34:50.390 --> 34:57.090]  His autonomy is defined as freedom to develop reliable and sustainable relationships of trust
[34:57.090 --> 35:00.430]  and create and maintain those zones of obscurity.
[35:00.430 --> 35:06.430]  It is like freedom from external interference or something leads us what we want or not.
[35:06.430 --> 35:14.590]  It's kind of a value, and it's kind of slows decisional interference, which Jason will talk about later on.
[35:14.590 --> 35:16.910]  But just remind it.
[35:17.890 --> 35:23.430]  And think about social media users, YouTubers, Instagrammers, or influencers.
[35:23.430 --> 35:29.750]  Maybe we don't like them, but they disclose every detail about their lives because of their followers.
[35:29.930 --> 35:33.050]  And also they're making money for that.
[35:33.250 --> 35:41.910]  We therefore say that privacy leads us solutions that helps us choose and hour us in control of our own unique lives.
[35:44.130 --> 35:47.650]  So think about this for a second.
[35:47.650 --> 35:51.950]  Privacy is right to what we want to do or not.
[35:51.950 --> 35:57.190]  So he's just literally considering privacy as a value.
[35:57.250 --> 36:03.930]  And when we think about privacy as a right to what we want to do or not, it's just a value.
[36:03.930 --> 36:09.170]  And it's just a robust value that we ever had.
[36:10.170 --> 36:14.610]  So he described autonomy as one of the values of privacy.
[36:14.710 --> 36:18.290]  And the Herzog's one of the players is also trust.
[36:18.290 --> 36:23.150]  Trust is also familiar with us.
[36:23.150 --> 36:27.430]  Trust is always a valuable thing in our lives and relationships.
[36:27.430 --> 36:35.630]  Even when you're talking with your relatives, your friends, trust is always leading your relationship with being them.
[36:35.630 --> 36:41.950]  According to Herzog, trust is willingness to become vulnerable to the actions of another.
[36:43.250 --> 36:50.210]  Think about you're okay with something, what other people behave to you in every circumstance.
[36:50.210 --> 36:53.170]  It happens in every second of our lives.
[36:53.170 --> 37:01.010]  Even when you opt in for a company's privacy policy or notice or something maybe pop out in their website.
[37:01.010 --> 37:07.650]  You're just like opting in and then you're just literally trusting that company while you're opting in.
[37:07.650 --> 37:16.430]  So Herzog is just defining privacy with his pillars of privacy.
[37:16.430 --> 37:17.750]  So Jason?
[37:18.610 --> 37:28.590]  Yeah, so AJ just went over kind of those are all things to aspire to.
[37:28.590 --> 37:32.890]  You want to give people obscurity. You want to give people autonomy.
[37:32.890 --> 37:34.710]  You want to give people trust.
[37:35.630 --> 37:42.490]  Where it's a privacy torts and cable harms are things that as a society we want to avoid.
[37:42.490 --> 37:55.870]  So Prosser was a famed law professor who wrote the primary text on torts in the United States.
[37:55.870 --> 38:00.590]  And a tort is just a wrongful act.
[38:00.590 --> 38:12.210]  And this under common law in the United States, you can sue people for violation, for impedance onto you.
[38:12.210 --> 38:21.090]  So there are four privacy related torts that Prosser defined in his seminal text.
[38:21.090 --> 38:29.770]  And these are still found in common law, though most states have adopted statutory interpretations of them.
[38:29.930 --> 38:32.450]  So false light is the first one.
[38:32.450 --> 38:37.070]  And that is publicity which puts somebody in a false light.
[38:37.210 --> 38:45.910]  So when you think of the National Enquirer, you know, describing somebody's alien baby or something,
[38:45.910 --> 38:49.870]  that would be an example of putting somebody in a false light.
[38:51.330 --> 39:00.650]  Intrusion upon seclusion or intrusion upon somebody's private affairs or solitude,
[39:00.650 --> 39:07.150]  that is essentially like prying into somebody's, you know, private life.
[39:07.150 --> 39:14.250]  You know, digging up information or finding information that really is none of your business.
[39:14.790 --> 39:18.910]  Public disclosure of embarrassing private facts.
[39:18.910 --> 39:23.330]  So it's not just disclosure of private facts.
[39:23.330 --> 39:30.930]  One of the things that makes this a little bit narrow and hard to use in a lot of times as far as like a lawsuit,
[39:30.930 --> 39:34.250]  because it has to be embarrassing private facts.
[39:34.910 --> 39:45.230]  And then appropriation is what we think of when we think somebody takes a celebrity's image and uses it for financial gain.
[39:45.230 --> 39:50.490]  And we'll talk a little bit about that in a little bit more detail in a minute.
[39:51.030 --> 39:59.570]  So Ryan Calo has come up with his objective and subjective harms.
[39:59.790 --> 40:12.530]  These are fairly broad categories, but they still kind of run the gamut of a lot of different type of activity we would consider privacy.
[40:12.530 --> 40:21.730]  So his objective harm is unanticipated or coerced use of information.
[40:22.150 --> 40:27.870]  So if I have information about you and I use it in a way you weren't expecting,
[40:28.070 --> 40:36.130]  that is an objective harm or if I coerce the use of information from you.
[40:36.130 --> 40:38.550]  AJ, were you saying something?
[40:39.710 --> 40:41.610]  Okay.
[40:41.610 --> 40:42.610]  Okay.
[40:42.610 --> 40:48.950]  And then subjective is the perception of unwanted observation.
[40:48.950 --> 41:03.470]  Now, notice the word perception there, because what Calo was suggesting is that subjective harm doesn't need to come from actually having unwanted observation.
[41:03.470 --> 41:21.470]  If I think the NSA is surveilling me, I may do things like not talk on the phone or I may change my behavior or be anxious or have anxiety about it.
[41:21.470 --> 41:31.530]  So even if I have the perception of unwanted observation, even if I just have that perception, that is in itself a harm.
[41:31.530 --> 41:36.990]  And you can see this in thinking about surveillance.
[41:36.990 --> 41:46.310]  If somebody wants to just get me convinced that I'm being surveilled, hey, by the way, I put a camera in your house.
[41:46.310 --> 41:47.870]  What? Where is it? What?
[41:47.870 --> 41:50.710]  I may not actually be surveilled.
[41:50.710 --> 41:52.850]  I may not actually have a camera in my house.
[41:52.850 --> 41:58.050]  But if I have that perception, it's still going to affect me.
[41:58.050 --> 42:01.910]  And that's what Calo was trying to get across with his subjective harms.
[42:02.350 --> 42:19.330]  Now, you know, one of the things I want to, going back to my anecdote a little bit ago about the conversation around ethics I had at the IAPP KnowledgeNet, you know, by picking, and this is not all of the privacy norms we're going to discuss,
[42:19.330 --> 42:29.030]  but by picking a model of privacy norms, now the discussion isn't what is ethical and what is unethical.
[42:29.030 --> 42:36.970]  The question is whether your scenario fits within one of these models, and then what do you do about it?
[42:36.970 --> 42:49.230]  So, for instance, if you were to pick Harzog's privacy pillars, now it's not just this kind of ambiguous discussion of is this ethical, is this unethical?
[42:49.290 --> 42:56.250]  Now you just have to relate, well, you know, are we subscribing to obscurity?
[42:56.250 --> 42:58.970]  Are we giving people obscurity or not?
[42:58.970 --> 43:02.010]  Are we giving people autonomy or not?
[43:02.010 --> 43:06.790]  Are we giving people, you know, are we instilling trust or not?
[43:06.790 --> 43:14.010]  And then it just becomes a line-drawing exercise of where are you within or without the model?
[43:14.010 --> 43:24.010]  Not a question of is it ethical or not, and kind of that, you know, almost unanswerable question.
[43:24.010 --> 43:27.190]  I just want to add something.
[43:27.610 --> 43:34.250]  It shouldn't be expected that organizations use it for checklists in developing privacy values.
[43:34.250 --> 43:57.730]  While you're just saying that, if we're thinking in any circumstances and considering those privacy norms, whether it is ethical or not, organizations or businesses or any individual should use it for a checklist.
[43:57.730 --> 44:10.970]  It's a guidance on how to think about privacy values and how to distinguish them from privacy principles and privacy outcomes in the consumer environment or organizations, businesses, that I would say.
[44:11.230 --> 44:13.930]  And I just want to ask something.
[44:14.270 --> 44:17.210]  That will be great for the audience as well.
[44:18.750 --> 44:26.210]  So it can appear in, like, different privacy harms or values may occur at the same time, right?
[44:32.330 --> 44:35.950]  I'm sorry, was that a question to me or to the audience?
[44:36.670 --> 44:38.190]  Like, both.
[44:38.190 --> 44:48.070]  Like, it may occur, like, all the privacy norms may occur at the same time in any circumstance, right?
[44:48.070 --> 44:49.630]  I was just, like, asking.
[44:50.790 --> 44:57.750]  I mean, from my perspective, certainly an activity can fall under many of these models.
[44:57.750 --> 45:01.790]  I'm not sure I quite follow if that's the question.
[45:01.790 --> 45:03.790]  Yeah, I would agree.
[45:04.770 --> 45:08.190]  For instance, hard dogs obscurity.
[45:08.610 --> 45:28.150]  If you're, you could potentially, you know, being losing obscurity, you know, and also violating Prosser's privacy tort of public disclosure because something happened in private and by you exposing it to a larger audience, you know, disclosing it to the public.
[45:28.150 --> 45:43.350]  You've essentially ruined that person's, you know, obscurity in what they were doing because they were reliant on that, that they were doing it, you know, and nobody was paying attention.
[45:44.350 --> 45:45.270]  Yes.
[45:46.230 --> 45:49.670]  Okay, let's dive into solo taxonomy then, right?
[45:49.670 --> 45:55.950]  Well, let me, yeah, so before we do that, hit next real quick, Steve.
[46:00.950 --> 46:10.190]  Yeah, so I just want to point out one additional one that it's not, it's not a model of privacy norm in the traditional sense.
[46:10.390 --> 46:18.430]  Nissenbaum, Helen Nissenbaum is a philosophy professor who has come up with the concept of contextual integrity.
[46:18.430 --> 46:45.830]  And this is related to information privacy harms and it's not a norm as we've described to others where there are certain buckets of activities that we say are normative or non-normative behaviors, but rather it's a way of examining an activity to determine if it meets or does not meet a social norm.
[46:45.830 --> 46:54.430]  And that is looking at five different aspects around an information activity.
[46:54.430 --> 47:05.210]  You have a sender who is transmitting information, have some transmission principle, and then a recipient of that information.
[47:05.210 --> 47:14.690]  And then the black silhouette is meant to represent the data subject about who the information refers.
[47:15.010 --> 47:27.430]  And then I is the actual type of information. Are we talking about health information? Are we talking about, you know, identifying information, contact information?
[47:27.430 --> 47:48.990]  And by looking at these five different factors, then we can essentially, you know, describe this and look, you know, in a given culture or society, does this type of activity exceed or undermine, you know, social norms?
[47:48.990 --> 48:13.950]  So just by way of example, you know, sticking with, say, healthcare information about a particular person, if the sender is a doctor and it's being sent to an insurance company, you know, probably for the most part, you know, they need that information to, you know, to pay the doctor or something like that.
[48:13.950 --> 48:34.210]  So generally, that probably wouldn't violate social norms. If, however, they were posting that information on Facebook and their recipients were their Facebook friends, that could be viewed as a violation of social norms around health data. So that's how that would work. But yeah, next slide.
[48:42.200 --> 49:12.180]  So another model of privacy norm to which I am particularly fond of is Professor Dan Solov's taxonomy of privacy. Now, Dan Solov is a professor of law at George Washington University, and in 2008, he developed this taxonomy of privacy by looking at case law and laws and trying to,
[49:12.180 --> 49:28.180]  from the bottom up, trying to discern what are the different categories or buckets in which we can kind of place things that, you know, people would consider violations of privacy or privacy harms.
[49:28.180 --> 49:51.940]  And what I like about it is the items are fairly discrete and small. It breaks privacy up into 16 different categories or different discrete harms. And so it's much easier than, say, Ryan Calo's objective-subjective harms, which are still kind of broad.
[49:51.940 --> 50:14.320]  So instead of saying a violation of privacy, you might say a violation of objective harms or subjective harms, although they're still very broad categories. Solov's taxonomy is very narrow and easily, you know, easily digestible and discussable. And it's also very comprehensive.
[50:14.320 --> 50:30.420]  I have yet to find, and not to say that there isn't, but I have yet to find something that somebody would say, yeah, that's a violation of privacy that doesn't fall under one of these privacy harms in the Solov taxonomy.
[50:30.420 --> 50:50.840]  Now Solov breaks up privacy into four broad categories. That is information processing, information dissemination, which are both forms of information privacy violation, collection, and then a kind of generic invasions.
[50:50.840 --> 51:06.060]  So we certainly don't have time today to go over each of the 16 individual privacy harms, but I want to touch upon one from each category. Next slide.
[51:16.710 --> 51:38.770]  Okay. So the first one is under information processing and it's identification, linking of information to a particular individual. And I'm going to use an example here. So about two decades ago, about 20 years ago, the state of Massachusetts released medical records from state employees.
[51:38.770 --> 51:57.450]  And it was done so that they could do analysis of, you know, what diseases are happening where, et cetera. Well, a researcher from the Massachusetts Institute of Technology re-identified the then governor of William Weld on that information.
[51:57.450 --> 52:17.110]  And it's because the information, though it was de-identified, they had taken off names and social security numbers, you know, addresses, they still had some information that was particularly identifying. That was the person's gender, their date of birth, their postal code.
[52:17.110 --> 52:34.170]  And the researcher from MIT was able to re-identify the governor based on that information because he was the only one with that date of birth and that gender in that postal code. And she matched it up against, I think, voter rolls or something like that.
[52:34.170 --> 52:54.490]  So it turns out that this sort of information, this gender, date of birth, and postal code, will actually uniquely identify or uniquely identified about 95% of that state employee database release.
[52:54.490 --> 53:07.450]  So there was only a very small minority of people who, you know, had the same date of birth, same gender, and lived in the same postal code. So it was fairly uniquely identifying. Click Next.
[53:08.430 --> 53:29.850]  So the point here isn't to be able to, like, re-identify the governor or even re-identify somebody by name and pinpoint them. The point is to be able to single out a person within your data.
[53:29.850 --> 53:57.330]  And I think this is very apparent or obvious when you start talking about facial recognition. So, I mean, let's say we had a database of photos. Yes, we might be able to re-identify William Weld in those photos. But even being able to say, look, here's person 2, if we can re-identify that person in other photos as that person 2, that's about identification.
[53:57.330 --> 54:25.270]  It doesn't matter that we've necessarily, you know, named them, you know, found out what their legal name is. I mean, it could be John Smith. There could be hundreds of John Smith. But the fact that we can re-identify the same person across multiple photos, that's what, you know, linking of information to a particular person is, to this person number 2. That's what identification, the privacy harm of identification under the Solov taxonomy is.
[54:28.070 --> 54:54.480]  I'm checking. You know, if anybody sees any, has any questions or comments, please feel free to post them. I don't want to feel like this is a one-way street. But go ahead. I heard a beep. No, it's not. Okay. So, maybe I'm not right.
[54:55.980 --> 54:59.420]  Okay. Go ahead and next slide, Steve.
[55:08.020 --> 55:20.340]  So, Solov's category of information dissemination, one of the harms is appropriation, that is using an individual's identity to serve the aims and interests of another.
[55:20.340 --> 55:32.020]  So, this was also a privacy tort under Prosser's list of four privacy torts. So, we typically think about this in terms of celebrities.
[55:32.020 --> 55:51.400]  So, Elon Musk here is not hawking smart pills. But in fact, he is, you know, his image had been appropriated by the seller of these smart pills to try to, you know, promote the sale of these pills.
[55:51.400 --> 55:58.060]  But he didn't endorse them. He wasn't paid for them. So, this is a form of appropriation.
[55:58.060 --> 56:06.460]  Now, while we typically think about this happening to celebrities, it's not just celebrities. Go ahead and click next.
[56:13.120 --> 56:32.520]  This happens to you and me. So, this is my image I found using a Google reverse image search that was on a few years back that was on an Asian dating site that had been appropriated by that dating site to promote their site.
[56:33.560 --> 56:46.980]  And I had never joined or had no intention of joining the site. So, the site was actually, I did the translation, it was promoting Western millionaires, which isn't exactly accurate.
[56:46.980 --> 56:58.220]  Although I'd like to be a millionaire, I'm not quite. So, it's, you know, interesting appropriation. But it's not just, you know, me either.
[56:58.220 --> 57:17.060]  I would say that many people have been appropriated. For instance, when you think about social media, if you click like on something on a product or a website, you know, many social media sites will then promote your name and likeness saying,
[57:17.820 --> 57:32.380]  hey, Jay, you know, like this product to her friends and family. So, it's not a huge privacy invasion, but it is a form of appropriation because she wasn't compensated.
[57:32.380 --> 57:46.060]  Now, one could make the argument, as I'm sure the social media sites do, that the free use of the service is compensation for that appropriation of her image and name.
[57:47.060 --> 58:11.360]  But if you think about it, it's a social media site that you're getting a free use of. It's not the product or service that is essentially getting the advantage, the sellability of her name and likeness that is, you know, they're not taking it or they're not compensating her in any way.
[58:11.360 --> 58:14.660]  Okay. Next slide.
[58:22.420 --> 58:40.200]  So, now we move outside of the information privacy harms under the Solov taxonomy. We move to collection. And interrogation is one of the harms, that is, the questioning or probing for personal information.
[58:40.200 --> 58:50.390]  We typically think of this in terms of like a police interrogation or a suspect or a terrorist being interrogated. But go ahead and click next.
[58:51.570 --> 59:04.350]  This is not necessarily the case. It can be really any questioning or probing for information that's out of context for the situation.
[59:04.350 --> 59:17.830]  So, think about a job interview and a candidate being interviewed for a job. There may be completely appropriate questions. You know, what are your qualifications? Do you have any, you know, background or history in this kind of work?
[59:17.830 --> 59:29.050]  But there may be completely inappropriate. You can imagine a hiring manager asking, and especially in a female candidate, if she was pregnant or planning on becoming pregnant.
[59:29.370 --> 59:41.270]  And, you know, an inappropriate question, a privacy norm violating question, an interrogation that's inappropriate for the interview.
[59:41.270 --> 59:49.130]  So, is it ethical to ask the candidate's ethnicity while you're applying a job?
[59:51.830 --> 59:53.090]  Ethnicity?
[59:53.270 --> 01:00:05.330]  Yeah. Like, while you're applying a job, the company is always, like, companies always ask the candidate what ethnicity they involve.
[01:00:05.330 --> 01:00:23.270]  Okay. So, let me caveat that, say, by, you know, if you're asking if it's ethical, you know, I would, again, refer to the privacy norm of, you know, interrogation.
[01:00:23.270 --> 01:00:33.030]  It's a questioning or probing for information that's out of context and irrelevant to the purpose of hiring.
[01:00:33.030 --> 01:00:47.730]  Now, in the United States, you'll often see the EEOC questions about gender, ethnicity, veteran status.
[01:00:48.910 --> 01:00:51.470]  It seems like there's one other question.
[01:00:52.130 --> 01:01:07.730]  And so, you know, those are not supposed to be used for hiring. They're supposed to be kept separate and just reported to the EEOC to try to limit discrimination in hiring.
[01:01:08.190 --> 01:01:14.770]  So, there may be a purpose there. So, that questioning is separate.
[01:01:15.150 --> 01:01:19.710]  So, you have to really kind of dive into the context of what's going on.
[01:01:19.710 --> 01:01:32.050]  Similarly, with the pregnancy question, generally, we would say that it's completely inappropriate for a hiring manager to ask a candidate whether she was pregnant or planning on becoming pregnant.
[01:01:32.390 --> 01:01:42.590]  Now, if the job were working with hazardous chemicals that could put a pregnancy at risk, it might be appropriate.
[01:01:42.590 --> 01:01:56.790]  Although, I would probably suggest that maybe a better way of handling it is giving information to the candidate that says, this, you know, this job will put a pregnancy at risk.
[01:01:57.110 --> 01:02:05.810]  If you're pregnant, you should seriously consider not applying or, you know, waiting until your pregnancy is determined or something to that effect.
[01:02:05.810 --> 01:02:13.550]  So, giving the candidate control rather than the probing or asking questions there.
[01:02:13.550 --> 01:02:24.130]  Now, notice, I want to pinpoint something that's important on this and why this is not under the information privacy harms under SOLOV's kind of categorization.
[01:02:24.130 --> 01:02:39.730]  And notice, it isn't the actual information. It's not, you know, what the candidate responds, whether she's pregnant or not, or even the information of knowing, you know, of a response or a non-response.
[01:02:39.730 --> 01:02:55.650]  The actual privacy violation here, the harm, is the asking, the questioning, because she may feel uncomfortable, you know, that she's going to feel violated by having that question posed to her.
[01:02:55.650 --> 01:03:05.010]  Not in answering, not in deciding whether or not to answer, but just in the asking of the question, you know, makes her uncomfortable.
[01:03:05.010 --> 01:03:20.830]  And certainly, you know, this is an interesting question or interesting thing related to this specific thing. If she was overweight, it may make her embarrassed by the question being asked, because it's like, no, I'm not pregnant. I'm just overweight.
[01:03:20.830 --> 01:03:39.490]  I had something happen. I was with a friend at a bar, and we were told the waitress was pregnant. And my friend asked the waitress, when are you due? The waitress was like, what are you talking about? Because our waitress was overweight. It was another waitress that was pregnant.
[01:03:39.490 --> 01:03:52.750]  So again, just the questioning or probing for personal information is not the answer. It's not about the information. It's about that act of questioning or probing. Okay. Next slide.
[01:03:59.610 --> 01:04:16.010]  This is the last one I will go over. Again, this is the category of invasion. And the harm here is intrusion. That is disturbing an individual's tranquility or solitude.
[01:04:16.010 --> 01:04:33.240]  So when Polkman Go came out a number of years ago, certainly there were a lot of questions about the privacy of the app. What is it doing with people's data? Is it tracking people 24-7, especially if children are playing the game? There was another privacy issue at play.
[01:04:33.670 --> 01:04:43.610]  So Polkman Go used churches and a number of other places as gyms where people could train their characters and earn points and stuff.
[01:04:43.610 --> 01:04:56.010]  And we'll go ahead and click next. But a number of people had transformed those churches into their private residences.
[01:04:56.010 --> 01:05:16.650]  So you think about people and they're trying to enjoy their home and all of a sudden they've got Polkman Go players trotting through their yard trying to catch their Polkman Go or Polkmans.
[01:05:16.650 --> 01:05:24.430]  So this is about disturbing an individual's tranquility or solitude while they're trying to enjoy their house.
[01:05:24.430 --> 01:05:35.410]  Now, it's not just Polkman Go players, it's vacuum cleaner salespeople, it's religious pamphleteers, you know, showing up while you're trying to eat dinner and they're knocking on your door.
[01:05:35.830 --> 01:05:40.050]  These are all intrusions into your personal space.
[01:05:40.110 --> 01:05:52.470]  Not just about the home, but think about the spam you get. Or back in the old days before browsers kind of put a stop to it, you would go to a website and all of a sudden you get a bunch of pop-up ads.
[01:05:52.470 --> 01:06:02.950]  You're trying to view the website, but you're being intruded upon, you know, and interrupted while trying to do that.
[01:06:03.130 --> 01:06:10.650]  So that concludes our examples of these four privacy harms under the Solove taxonomy.
[01:06:10.650 --> 01:06:17.630]  Like I said, there are a lot more, but what I like about them is they're very discreet and very easy to work with.
[01:06:17.630 --> 01:06:26.450]  And again, you can imagine a company, you know, you're setting, here are the privacy norms to which we subscribe.
[01:06:26.510 --> 01:06:30.210]  We don't want to intrude upon people's tranquility and solitude.
[01:06:30.210 --> 01:06:34.770]  You know, we don't want to interrogate people out of context.
[01:06:34.770 --> 01:06:46.030]  And it just becomes a question of matching, you know, does the scenario that you're considering, are you violating people's privacy, you know, match with the privacy norm?
[01:06:46.030 --> 01:06:54.850]  Not this kind of generic, you know, are we being ethical or not?
[01:06:55.710 --> 01:06:57.970]  Okay, next slide.
[01:07:00.700 --> 01:07:09.280]  AJ, sorry, I know I tend to kind of go off there. Did you have any comments on the Solove taxonomy?
[01:07:12.250 --> 01:07:22.510]  Well, I do think that a Solove taxonomy is the most granular and comprehensive categorization of privacy.
[01:07:22.510 --> 01:07:27.450]  Therefore, it involves all the scenarios under his taxonomy.
[01:07:27.450 --> 01:07:33.330]  I was just like, I liked your slides of Solove taxonomy.
[01:07:34.450 --> 01:07:47.310]  Like, but I would like to, I would like to, I would like to hear more about using these norms in business side and organizations.
[01:07:47.310 --> 01:07:59.530]  Yeah, sure. So, so, you know, I mentioned kind of a broad way of using them. It's just kind of looking at a situation and seeing if you're violating a social norm.
[01:07:59.750 --> 01:08:12.610]  But let's, let's, let's look at a more concrete method of kind of using the norms to drive your privacy, you know, privacy aspects of your business.
[01:08:12.610 --> 01:08:14.330]  Go ahead and click Next.
[01:08:18.890 --> 01:08:19.450]  So...
[01:08:20.270 --> 01:08:22.030]  Oh, go ahead.
[01:08:22.030 --> 01:08:22.530]  So here is...
[01:08:22.530 --> 01:08:25.350]  Oh, right. We were going to compare. Sorry. Yeah, we, right.
[01:08:25.350 --> 01:08:30.350]  Okay. Herzog and Weston are colored with purple in this slide.
[01:08:30.390 --> 01:08:35.810]  And we're going to talk with Jason more about a Solove taxonomy in this table as well.
[01:08:35.810 --> 01:08:39.710]  But purple side is harm-based privacy definitions.
[01:08:39.710 --> 01:08:45.890]  As we stated at the beginning, an orange color refers to their harm-based privacy definitions.
[01:08:46.770 --> 01:08:58.990]  Like we can see the autonomy of the Herzog's pillars of privacy refers to decisional interference, exclusion, blackmail, and distortion in Solove's taxonomy.
[01:08:58.990 --> 01:09:03.670]  And it includes the objective harms in Callow.
[01:09:03.670 --> 01:09:19.270]  And we don't see any reference, reference between the connection between Prosser's false light with Herzog's pillars of privacy, Weston's status privacy, and Callow's subjective and objective.
[01:09:19.710 --> 01:09:22.190]  But we can see the Solove's distortion.
[01:09:22.630 --> 01:09:27.770]  We, I mean, Jason didn't get involved in the whole Solove taxonomy.
[01:09:27.770 --> 01:09:37.950]  But we would like to hear about decision interference definition because it's also in Asian and it's more broad.
[01:09:37.950 --> 01:09:47.590]  It has more broad definition in decision interference, which also refers in Herzog's pillars of privacy.
[01:09:47.590 --> 01:09:57.730]  We can see the definition of decision interference as intruding into an individual's decision-making regarding their private affairs.
[01:09:57.730 --> 01:10:04.230]  There is another side of, another perspective in decision interference as manipulation.
[01:10:04.810 --> 01:10:08.850]  So do you want to talk about this, Jason?
[01:10:09.090 --> 01:10:22.070]  So what I just want to say, so first off, just to clarify and what this chart, and I think we've got a couple more, illustrate is that you can map the different models together.
[01:10:22.070 --> 01:10:31.850]  So as AJ pointed out, autonomy under Herzog can be mapped to Solove's decisional interference, exclusion, and blackmail.
[01:10:31.850 --> 01:10:42.150]  So the prototypical case for decisional interference was a case at the Supreme Court level.
[01:10:42.370 --> 01:10:59.150]  It was Griswold v. Connecticut that decided under the U.S. Constitution, since there's not a direct right to privacy, but it found a right to privacy in the penumbra of rights, as the Supreme Court called it,
[01:10:59.150 --> 01:11:08.710]  that there was a question, the state of Connecticut was not allowing married couples to purchase contraceptives.
[01:11:08.710 --> 01:11:13.350]  They made contraceptives illegal. This was back in the 50s and 60s.
[01:11:13.610 --> 01:11:21.390]  And it went up to the Supreme Court, and the Supreme Court said that that was not the purview of the state,
[01:11:21.390 --> 01:11:30.810]  that that was a violation of essentially the right of privacy under the Constitution, even though there is no constitutional amendment that says right of privacy.
[01:11:30.810 --> 01:11:47.450]  It was found in a penumbra of other rights, and this was an interference into the decision-making into the private affairs of that couple, and that the state did not have a right to make that decision.
[01:11:47.450 --> 01:12:04.550]  This goes similar to Lawrence v. Texas, which says the state doesn't have a right to preclude homosexual couples or homosexuals from engaging in sexual activity in the privacy of their own bedroom,
[01:12:04.550 --> 01:12:15.350]  because it's a decision that they alone have the right to make, and that the state should not interfere with that decision-making.
[01:12:15.350 --> 01:12:29.370]  And again, you can see how this relates to autonomy and that individuals have a decision, a freedom to act as their own decision-makers.
[01:12:29.710 --> 01:12:33.290]  Similarly, if you just go down to blackmail, I want to compare that.
[01:12:35.630 --> 01:12:46.370]  Blackmail also, it's about decisions about the use of information and saying, hey, unless you pay me $100, I'm going to release this photo.
[01:12:46.370 --> 01:12:59.490]  I'm essentially interfering with your decision and your right to make a decision of how to release or when or if to release information about you, again, interfering with your autonomy.
[01:12:59.490 --> 01:13:08.090]  And if you look at Kalo's objective harms, which as you see maps up here, that is about the coerced use of information.
[01:13:08.330 --> 01:13:20.370]  I'm using information, you know, a photo of you, and I'm doing it in a coercive manner that says either you pay me $100 or I'm going to release this information.
[01:13:20.470 --> 01:13:25.950]  So you can see how that, you know, those things map together.
[01:13:28.070 --> 01:13:32.710]  Next slide. I know we've got a couple to get through, so I want to go to the next slide.
[01:13:33.710 --> 01:13:44.410]  And you can do this for all of the different, you know, all of the different categories under all of these models.
[01:13:44.630 --> 01:13:45.190]  AJ?
[01:13:46.160 --> 01:14:01.830]  I don't want to get involved in all of the things, but you can see that, like, in Solo's taxonomy, it just, it refers to all the privacy norms in this chart.
[01:14:01.830 --> 01:14:16.020]  So we can see that in Hard Sock's pillars of privacy, obscurity refers to disclosure, exposure, appropriation, surveillance, interrogation, intrusion, identification, aggregation, increased accessibility.
[01:14:16.020 --> 01:14:26.740]  However, we're not seeing in, like, Prosser's kind of law of privacy towards, and we're not seeing this in Weston.
[01:14:26.740 --> 01:14:36.480]  They're so, they're so just involving, they're just so not, they're just broad, and they're not referring to all things.
[01:14:36.480 --> 01:14:40.280]  And I think that there's some issues in the table.
[01:14:40.280 --> 01:14:49.120]  If Jason, if Steve shows the next slide, I was, I was concerning something in this.
[01:14:50.080 --> 01:14:55.500]  This model of privacy norms is just a model.
[01:14:55.500 --> 01:14:58.460]  So it shouldn't be, it shouldn't be correct.
[01:14:58.460 --> 01:15:01.580]  And it depends upon the persons of persons.
[01:15:01.580 --> 01:15:05.040]  We, I have to, I have to just add it.
[01:15:05.040 --> 01:15:11.840]  For example, the trust means a willingness to become vulnerable to the actions of another.
[01:15:11.840 --> 01:15:14.840]  So it depends on the individuals to individuals.
[01:15:14.840 --> 01:15:24.940]  And we're just, we just stated that in Solow's taxonomy, breach of confidentiality, secondary use, and insecurity in here.
[01:15:24.940 --> 01:15:33.340]  So I was questioning, and I was concerning whether we could add the privacy harm of exclusion to this table.
[01:15:35.420 --> 01:15:39.100]  It's more relevant with the Hartzog's trust definition too.
[01:15:39.100 --> 01:15:40.760]  What do you think, Jason?
[01:15:43.460 --> 01:15:44.760]  It's possible.
[01:15:44.760 --> 01:15:46.940]  I, you know, maybe we should take that offline.
[01:15:47.580 --> 01:15:50.940]  Just because we haven't really explained to people what exclusion is.
[01:15:50.940 --> 01:15:54.180]  I'm sure they don't want us going down the weeds too far.
[01:15:54.580 --> 01:16:00.660]  But certainly, you know, this isn't, this, this, this chart isn't meant to be.
[01:16:00.660 --> 01:16:12.620]  In the chart I published, there is actually a disclaimer that there may be mappings that are uncovered by the chart.
[01:16:12.620 --> 01:16:28.800]  But the point I want to use, go into here with this last one is we can use this, a business can use this to create its own privacy values specific to its business.
[01:16:28.800 --> 01:16:31.240]  So go ahead and click the next slide.
[01:16:37.530 --> 01:16:48.950]  So let's say we wanted to use Hartzog's trust, Weston's intimacy, Kalo's objective harm, and then Solov's breach of confidentiality, secondary use, and insecurity.
[01:16:48.950 --> 01:16:55.050]  And we don't want to use any of those in particular, but we wanted to create something specific for our organization.
[01:16:55.310 --> 01:16:56.770]  Go ahead and click next.
[01:16:58.870 --> 01:17:05.670]  Let's say we were running a service called Texacleric.
[01:17:05.670 --> 01:17:18.130]  And the purpose of this service is to allow parishioners to send a message to a religious leader and get back advice or, or just hold a confessional.
[01:17:18.130 --> 01:17:34.530]  So we could develop a privacy value for this service, and we're going to call it seal of confession, and say Texacleric will protect and not use or reveal any information divulged.
[01:17:34.670 --> 01:17:45.750]  So in that simple declarative statement, we've kind of combined all of these normative values into a privacy value for the organization.
[01:17:45.750 --> 01:17:58.010]  So we've imbued trust, because we want our parishioners to trust that we're going to protect their information, not use it, or not reveal it.
[01:17:58.870 --> 01:18:13.390]  Intimacy, we've created this intimate environment where individuals can feel that they're in an intimate, closed environment with their religious leader that they're talking to.
[01:18:14.370 --> 01:18:23.910]  We are not using, you know, we're not violating Kalo's objective harms. We're not using it in an information in an unanticipated or coerced way.
[01:18:24.050 --> 01:18:31.290]  We're also not breaching confidentiality. You know, again, we're not going to use or we're not going to reveal this information.
[01:18:31.390 --> 01:18:39.890]  And we typically think of, you know, the clergy as having a duty of confidentiality when things are said in a confessional.
[01:18:39.890 --> 01:18:50.670]  We're not violating secondary use. Again, we're not using this information for other than religious, you know, providing religious salvation.
[01:18:50.710 --> 01:18:57.110]  And insecurity, we are not, you know, handling the information in an insecure manner.
[01:18:57.130 --> 01:19:05.830]  So this is how we would develop a very simple privacy value that then we can manage, you know, the organization against.
[01:19:05.830 --> 01:19:15.670]  Now, how would you use this in a proactive way in developing your organization's activities?
[01:19:15.670 --> 01:19:18.310]  So go ahead and click Next.
[01:19:25.230 --> 01:19:32.890]  So NIST earlier in the year published their Privacy Framework.
[01:19:32.890 --> 01:19:47.250]  And what the Privacy Framework does is it provides a lot of functions and activities that an organization can do to have a functioning privacy program.
[01:19:47.250 --> 01:19:54.050]  So it divides these into five functional areas.
[01:19:54.050 --> 01:20:01.610]  That is identify, govern, control, communicate, and protect.
[01:20:01.610 --> 01:20:08.550]  And they actually have 100 different subcategories of activities that organization can do.
[01:20:08.550 --> 01:20:13.710]  And you can think of these activities in the NIST Privacy Framework as muffin pans.
[01:20:13.730 --> 01:20:16.610]  So they're like muffin pans.
[01:20:16.610 --> 01:20:25.110]  And then your job as an organization is to figure out which muffin pans to fill in and what kind of muffins you're going to actually bake in them.
[01:20:25.110 --> 01:20:28.030]  Are you baking cornbread muffins, blueberry muffins?
[01:20:28.030 --> 01:20:29.890]  Are you making cupcakes?
[01:20:29.890 --> 01:20:36.010]  And what are the ingredients that you're going to use to bake all of these different muffins?
[01:20:36.010 --> 01:20:38.430]  Go ahead and click Next.
[01:20:42.110 --> 01:20:54.990]  So by having this privacy value, this can help us identify what are the ingredients that are going to go into these muffin pans into this framework.
[01:20:54.990 --> 01:21:07.410]  And so, for instance, related to identity, one of the identity subcategories, one of the muffin holes, is data actions of the system, product, service, or inventory.
[01:21:08.510 --> 01:21:17.510]  So here, in order to meet this privacy value of seal of confession that we've defined,
[01:21:17.510 --> 01:21:30.190]  we may say all touch points for confessional message data are kept in system architecture diagrams so that we can identify, you know, where we need to protect this data,
[01:21:30.190 --> 01:21:42.730]  where we need to make sure we're not using it for other purposes, and where we're, you know, make sure it's not being revealed or disclosed to people outside of our system.
[01:21:42.730 --> 01:21:54.390]  So if our architecture diagram shows a, you know, a line going off to a marketing company, hey, whoa, we're breaking our seal of confessional, our privacy value.
[01:21:54.550 --> 01:22:02.530]  So that would help us along. And I'm not going to read all of these. But, you know, I might go down to the bottom one of protect.
[01:22:02.530 --> 01:22:12.950]  Data in transit are protected. Well, in order to meet our seal of confessional value, you know, our particular ingredient, our particular activity,
[01:22:12.950 --> 01:22:20.470]  is that data between the parishioners app in which they are sending these messages, and our system are encrypted.
[01:22:20.470 --> 01:22:32.070]  That might be one of many ingredients that goes into saying data in transit are protected, and also meeting our privacy value of seal of confession.
[01:22:33.650 --> 01:22:36.090]  Jay, did you have any comments on this?
[01:22:36.370 --> 01:22:45.930]  We can also combine it with solo taxonomy as well. In the first column, foredraw, it says data are destroyed according to policy.
[01:22:45.930 --> 01:22:53.230]  I would say it's the privacy harm of insecurity in solo taxonomy. So we can combine with solo taxonomy, right?
[01:22:54.290 --> 01:23:02.230]  Yeah, so certainly you'll see a lot of overlap in terms of... so she's looking at the second line from the top.
[01:23:02.230 --> 01:23:07.610]  And one of the subcategories is data are destroyed according to policy.
[01:23:08.330 --> 01:23:22.090]  And so defining that policy is going to help with insecurity. But remember, insecurity get into creating our seal of confession privacy value.
[01:23:22.090 --> 01:23:36.590]  So whether you want to go directly against the solo taxonomy, or against our synthetic derived privacy value specific to our organization, you can go about it either way.
[01:23:36.590 --> 01:23:44.930]  You don't have to derive your own privacy values, you can go directly against any of the models that we've suggested or others.
[01:23:44.930 --> 01:24:01.370]  Harzog, Weston, Prosser, Kalo, Solove, Nissenbaum. Again, there are many others or you can create what I'm suggesting is it might be easy to create sort of these hybrid privacy values specific to your organization.
[01:24:03.110 --> 01:24:04.530]  Thank you.
[01:24:04.530 --> 01:24:06.390]  Okay, next.
[01:24:08.950 --> 01:24:22.790]  Okay, now we're going to talk about a privacy wiki. We created privacy wiki in order to see what the United States laws protect individuals from the privacy harms on a solo taxonomy and those social norms.
[01:24:22.790 --> 01:24:38.110]  I would like to thank for Professor Fay Jones with her support and into privacy. We also thought it could be better to demonstrate latest privacy articles and privacy related cases combined with taxonomy as well.
[01:24:38.110 --> 01:24:46.070]  In this wiki, it now includes over 100 privacy related articles. So you may go check them out as well.
[01:24:46.070 --> 01:24:47.730]  So next slide.
[01:24:48.990 --> 01:25:10.030]  So privacy wiki is basically a wiki dedicated to privacy laws, events and articles. It is organized around solo taxonomy and its 16 privacy harms. It currently has 78 US federal laws and over 300 state laws that were met with solo taxonomy.
[01:25:10.030 --> 01:25:25.400]  Furthermore, when we're editing articles, which are also like, as I said, over 100, we also use some other aspects of privacy by design like in Huffman strategies and tactics.
[01:25:27.050 --> 01:25:29.400]  So next slide.
[01:25:31.500 --> 01:25:48.560]  Before starting this research or wiki, the issue was whether the United States privacy related laws generally protect or preserve citizens or individuals from privacy violations or harms on our solo taxonomy.
[01:25:48.560 --> 01:26:03.520]  We had at this table at the beginning, which you can see, we had only had some federal laws, and we did not even establish the harms of appropriation, decisional interference, interrogation or even item scattering.
[01:26:03.520 --> 01:26:21.900]  So you may see it in the right upper corner, appropriation. So we're not seeing any harms under all the federal laws in this listed table.
[01:26:21.900 --> 01:26:39.900]  However, we just involved it and mapped the 40 over 100 or over 400 state over 400 United States laws. So we just dive in and found a lot of protection privacy harms under those laws.
[01:26:39.900 --> 01:26:53.860]  However, we always say that the United States privacy related laws do not protect all citizens from the privacy violations or harms on the solo taxonomy. So next slide.
[01:26:56.580 --> 01:27:07.610]  In taxonomy page of the wiki, we are stating as this, the United States law has been failed by not addressing privacy harms and violations.
[01:27:07.610 --> 01:27:21.750]  However, under the fourth amendment, over 300 state privacy laws, specific privacy related federal laws and precedents identify and protect some privacy violations and harms that has been addressed by sole law.
[01:27:21.750 --> 01:27:36.270]  Moreover, although some state laws do not cover all the privacy violations, the other state all industry violations such as California, he argues that privacy and society are indivisible integrity.
[01:27:36.270 --> 01:27:46.190]  Therefore, it is categorized to identify and understand socially recognized privacy violations with basic groups of harmful activities.
[01:27:46.550 --> 01:28:01.070]  It mainly covers what we did. If you scroll down the page in the wiki, you can see all the column links that indicates all 16 privacy harms and laws that are related with the harms.
[01:28:01.070 --> 01:28:14.090]  If you would like to discover it or are interested in taking a look at it, you can see the harms of blackmail, appropriation, distortion and intrusion have less protected than the harms in the United States.
[01:28:14.090 --> 01:28:18.510]  If Steve may click it, you can see all the laws.
[01:28:21.630 --> 01:28:29.310]  Yeah, here are the interrogation, aggregation, security identification, secondary use.
[01:28:35.580 --> 01:28:51.760]  See, there are more laws than the beginning of this research. So if you're interested in how to look at it, that will be great for covering all the presentations and slides.
[01:28:51.760 --> 01:29:21.940]  So next slide. It takes time. Can you click the next slide? Okay.
[01:29:22.460 --> 01:29:40.620]  Okay. We have in this wiki, we have sample forms for federal laws. And this list includes short title for understanding which law refers it.
[01:29:40.620 --> 01:29:54.520]  In this example, in the sample forms, we stated FERPA, DPPA and HIPAA, which are literally more broad and most popular privacy-related federal laws.
[01:29:54.520 --> 01:30:11.180]  And we just added the official text in this form in order to provide an official text and in order to provide a current text via link.
[01:30:11.180 --> 01:30:27.980]  And we included the country because we're going to involve in the EU laws as well in the future. Therefore, we included the country and we just cannot understand which, I mean, where the law is enacted, was enacted.
[01:30:27.980 --> 01:30:37.420]  And we added the state or province for the state laws. Therefore, it's in here. But we may change it for federal laws in the future.
[01:30:37.420 --> 01:30:53.520]  We stated regulatory bodies in this form. However, because they're sample forms, they're just wrong. Regulatory bodies shouldn't be stated as United States Congress.
[01:30:53.520 --> 01:31:09.100]  We added the dates enacted, time for showing the time and scope of the law in the list and personal information. And we stated the taxonomy.
[01:31:09.100 --> 01:31:27.360]  And we're going to add the strategies and tactics under the Hoopman strategy in the future. But we generally mapped over 400 United States privacy-related laws with the taxonomy. So you may see these forms in the wiki.
[01:31:27.360 --> 01:31:47.940]  So next slide. State laws also include the same form. So it still includes a short title, official tax, country, jurisdiction, state or province, regulatory bodies, date enacted, scope of the law, personal information, taxonomy, strategies and tactics.
[01:31:47.940 --> 01:32:01.140]  So we show the Illinois BIPA in here and California's CCPA. We also add those laws in this wiki. So next slide.
[01:32:03.840 --> 01:32:24.880]  Maybe everyone's just like concerning, okay, you just mapped those laws on soil taxonomy. And you're stating those things in your form. However, like, how can we see those taxonomy forms in a specific law?
[01:32:24.880 --> 01:32:45.140]  So here's an Illinois BIPA example. In the right side, we're just seeing the form. In the left side, on the whole page, we are seeing the whole laws and provisions and sections in this site.
[01:32:45.140 --> 01:33:13.540]  And if you would like to see a taxonomy harm that is protected under the law, you can see after the provision or after the section, a little font, the name of the privacy harm that is stated on a soil taxonomy.
[01:33:13.540 --> 01:33:36.900]  And if you're interested in learning those privacy harms, and if you would like to see the related laws that protect surveillance or any other harm on a soil taxonomy, you can access with those little links.
[01:33:37.900 --> 01:33:39.240]  So next slide.
[01:33:39.240 --> 01:33:47.020]  Hold on, just to clarify. And sorry, if you covered this, I distracted momentarily.
[01:33:47.020 --> 01:33:48.080]  Yeah, of course.
[01:33:48.080 --> 01:34:12.740]  So it's hard to see in this slide, because I know it's kind of small, but in the kind of insert that's popped up, the actual law is written, but there is a text that says surveillance, and it pinpoints the part of the law that covers surveillance.
[01:34:12.740 --> 01:34:22.200]  For instance, in BIPA, it says no private party may collect, and then it's about a person's biometric identifier.
[01:34:22.200 --> 01:34:25.960]  So remember that collection, surveillance was part of collection.
[01:34:25.960 --> 01:34:29.620]  So that is recording, watching, listening to, monitoring.
[01:34:30.240 --> 01:34:38.300]  So that collection process is what BIPA is trying to stop or one of the things that BIPA is trying to stop.
[01:34:38.300 --> 01:34:43.560]  And so that's why it's related to the SOLA surveillance harm.
[01:34:43.600 --> 01:34:45.120]  So that's why we tag it.
[01:34:45.120 --> 01:34:52.640]  So it's tagged specifically in the law, exactly where in the text of the law it aims to prevent surveillance.
[01:34:52.980 --> 01:34:54.280]  Thanks for adding.
[01:34:55.840 --> 01:34:56.560]  Okay.
[01:35:02.860 --> 01:35:07.700]  Would you like to talk about a simple form for articles and privacy news?
[01:35:07.700 --> 01:35:08.240]  Oh, sure.
[01:35:08.240 --> 01:35:18.440]  So in addition to over 300 laws in the wiki right now, there's at least 100, maybe over 200 articles.
[01:35:18.480 --> 01:35:24.820]  And by the way, Steve, I just looked to see if there was anything about Hobby Lobby in there yet.
[01:35:24.820 --> 01:35:37.420]  The only thing related to Hobby Lobby was something about some guy following women around with a camera and happened to be following people in a Hobby Lobby, but not the particular...
[01:35:37.420 --> 01:35:43.680]  I know the incident you're talking about. Unfortunately, we don't have that article in yet, but we can hopefully issue it.
[01:35:44.260 --> 01:35:45.240]  By the way, somebody...
[01:35:45.240 --> 01:35:47.240]  I expect that from Hobby Lobby. Sorry.
[01:35:47.340 --> 01:35:47.920]  Pardon?
[01:35:51.560 --> 01:35:52.360]  Again?
[01:35:54.020 --> 01:35:58.480]  Oh, no, sorry. I was saying I'd expect that from somebody at Hobby Lobby with a camera being followed.
[01:35:59.680 --> 01:36:02.860]  So somebody was... Oh, okay. So we've got it.
[01:36:02.860 --> 01:36:09.420]  Okay. Anyway, so like I was saying, there's a couple hundred articles, certainly room for more.
[01:36:10.320 --> 01:36:16.500]  You know, we have one person right now that is putting in articles, Maria, who is not on the call.
[01:36:17.200 --> 01:36:22.140]  But, you know, I mean, there's certainly opportunity for hundreds of more articles.
[01:36:22.140 --> 01:36:32.800]  What I love about this is it provides an opportunity to people see examples and kind of categorize and it's like, oh, yeah, this is an example of surveillance.
[01:36:32.800 --> 01:36:35.500]  This is an example of interrogation.
[01:36:35.520 --> 01:36:44.200]  And it really kind of makes these concepts much more concrete by having very real life examples of this.
[01:36:45.540 --> 01:36:48.720]  So within this, you know, we have a short title.
[01:36:48.720 --> 01:36:50.820]  We have, you know, where did this happen?
[01:36:50.820 --> 01:36:58.020]  The location, the date that it happened, you know, if it's a specific date or maybe just a year.
[01:36:58.340 --> 01:37:02.760]  And what privacy harms under the taxonomy were relevant?
[01:37:03.040 --> 01:37:08.360]  What information, types of information were appropriated?
[01:37:08.360 --> 01:37:14.000]  So this one, which was about the Twitter account hack, you know, we talk about insecurity.
[01:37:14.000 --> 01:37:16.200]  So Twitter was being insecure.
[01:37:16.640 --> 01:37:23.480]  Appropriation, the hacker used the names and likeness of those people's accounts.
[01:37:23.480 --> 01:37:27.000]  He appropriated those accounts for his own purpose.
[01:37:27.320 --> 01:37:34.300]  Interrogation, I forget what the interrogation was, but maybe they were asking some type of questions of people.
[01:37:34.300 --> 01:37:40.520]  So the information here was authentication information, was at play.
[01:37:40.520 --> 01:37:42.380]  Identifying information.
[01:37:42.380 --> 01:37:44.620]  Social network, again, Twitter.
[01:37:45.000 --> 01:37:50.960]  And communication information that was being communicated from one party to another.
[01:37:50.960 --> 01:37:52.680]  Go ahead and click.
[01:37:54.980 --> 01:37:58.740]  And so that's kind of like the high profile panel.
[01:37:58.740 --> 01:38:10.620]  But then, of course, we have a much more detailed description and discussion of what actually happened and why these particular privacy harms were at play.
[01:38:10.740 --> 01:38:16.980]  And all of our articles, we don't write articles, you know, nothing is new to us.
[01:38:16.980 --> 01:38:23.540]  These are related to articles, you know, that pop up in major news sources.
[01:38:23.540 --> 01:38:34.540]  So, you know, once in a while we get something that maybe, I've seen a couple of incidences on Twitter that, you know, people, you know, more personal incidents.
[01:38:34.540 --> 01:38:35.860]  Oh, this happened to me.
[01:38:36.000 --> 01:38:43.040]  There was one I wanted to put in, but didn't get permission of the, again, we asked for permission if it's something like that.
[01:38:43.040 --> 01:38:53.060]  I didn't get permission of the account poster, but they were, you know, they had ordered a pizza and then the pizza delivery guy had solicited a date with her afterwards.
[01:38:53.060 --> 01:38:56.500]  Using her phone number to contact her later that evening.
[01:38:56.500 --> 01:39:00.340]  Hey, I delivered your pizza. Are you available to date?
[01:39:00.340 --> 01:39:08.620]  So, but generally we try to put in major news stories, which there are certainly no shortage of.
[01:39:08.620 --> 01:39:16.220]  And, you know, another issue, one of the reasons I wanted to work on this is because I was always having trouble doing Google searches.
[01:39:16.220 --> 01:39:20.780]  I was like, oh, wasn't there some issue about Hobby Lobby, for instance?
[01:39:20.780 --> 01:39:27.820]  And I would put in Hobby Lobby privacy into, you know, Google or another search engine and what would come up?
[01:39:27.820 --> 01:39:33.580]  Well, Hobby Lobby's privacy policy or a news story about Hobby Lobby.
[01:39:33.580 --> 01:39:39.660]  But then, you know, the only thing privacy was that, you know, CNN's privacy link.
[01:39:39.660 --> 01:39:41.980]  It wasn't about Hobby Lobby and privacy.
[01:39:41.980 --> 01:39:51.180]  So I wanted a centralized place that I could research articles and stories about privacy related to all these issues.
[01:39:51.960 --> 01:39:53.400]  Click next.
[01:39:54.760 --> 01:39:59.040]  I can't remember, is that, or is that our last, that's not our last slide, is it?
[01:39:59.600 --> 01:40:00.580]  It was.
[01:40:00.580 --> 01:40:02.820]  Okay, so discussion.
[01:40:02.880 --> 01:40:09.600]  Now that we've used up almost our entire two hours, and I don't know how we did that, except lots of talking.
[01:40:09.600 --> 01:40:16.100]  And I appreciate everyone for sticking around so long and not running away.
[01:40:17.240 --> 01:40:23.840]  But certainly if there's, you know, any questions, comments, thoughts about this.
[01:40:24.840 --> 01:40:27.840]  Walt wants the new law from Brazil.
[01:40:27.880 --> 01:40:28.920]  That would be great.
[01:40:28.920 --> 01:40:31.540]  So what we are doing...
[01:40:31.540 --> 01:40:36.740]  Oh, yeah, AJ says it includes the Turkish data protection law.
[01:40:37.720 --> 01:40:41.780]  Because AJ is in Turkey and knows a lot about that, knows a lot about that.
[01:40:41.780 --> 01:40:45.420]  So we are adding international laws.
[01:40:45.420 --> 01:40:49.840]  We have somebody in the UK who is adding UK laws.
[01:40:49.900 --> 01:40:50.420]  Australia.
[01:40:51.200 --> 01:40:52.520]  What now, Australia?
[01:40:52.520 --> 01:40:53.460]  Oh, we do?
[01:40:53.460 --> 01:40:54.460]  Okay, good.
[01:40:55.100 --> 01:41:03.580]  And, you know, so we're kind of reliant on volunteers for all the international ones.
[01:41:04.420 --> 01:41:06.620]  You know, just because it's so overwhelming.
[01:41:06.620 --> 01:41:10.100]  I mean, we had enough work putting in the U.S. state laws.
[01:41:10.100 --> 01:41:13.520]  And we're actually looking for volunteers to keep the states updated.
[01:41:13.520 --> 01:41:16.820]  I think we have slightly less than 10 volunteers.
[01:41:16.820 --> 01:41:19.520]  And we asked for a volunteer per state.
[01:41:19.520 --> 01:41:25.540]  Just as new states, like I'm in Florida, and we just enacted a new law recently.
[01:41:26.500 --> 01:41:30.840]  And, you know, so all laws get updated or changed.
[01:41:30.980 --> 01:41:35.320]  So having to keep track of that is a monumental undertaking.
[01:41:35.680 --> 01:41:42.580]  Not to mention adding all the stories that are coming at a breakneck pace every day.
[01:41:42.580 --> 01:41:46.700]  And even trying to catch up with privacy-related stories.
[01:41:46.900 --> 01:41:48.280]  But, yeah.
[01:41:53.060 --> 01:41:55.700]  Yeah, feel free to ask questions.
[01:41:57.140 --> 01:42:04.460]  And we will certainly stick around until the top of the hour and the next speaker.
[01:42:05.020 --> 01:42:08.160]  Yeah. And, of course, we're going to share the slides.
[01:42:09.460 --> 01:42:13.260]  Yeah, and Steve, do you want us to send that to you?
[01:42:13.600 --> 01:42:17.020]  Or you already have it, I guess, so we don't need to send it to you.
[01:42:17.020 --> 01:42:18.140]  You have it.
[01:42:18.420 --> 01:42:19.360]  Yeah, definitely.
[01:42:20.080 --> 01:42:23.340]  I'm more than happy to share them a little bit later on.
[01:42:23.340 --> 01:42:29.620]  So I'll make sure to post those somewhere and see if you all can flip them a little bit, moving down the line.
[01:42:29.820 --> 01:42:34.980]  I want to thank Jason and AJ again for doing this really awesome talk.
[01:42:35.560 --> 01:42:37.240]  This is something that we really need.
[01:42:37.240 --> 01:42:41.140]  We need to really define a lot of these different privacy laws moving forward.
[01:42:41.140 --> 01:42:47.160]  Because, I mean, honestly, it's going to be the future with all these services, especially.
[01:42:47.160 --> 01:42:52.920]  So everybody, I guess, do a round of applause, I guess, wherever you're at, for our speakers.
[01:42:52.920 --> 01:42:56.920]  And it looks like they'll be sticking around if anybody has any questions.
[01:42:57.280 --> 01:43:01.600]  They have the voice channel for another at least 20 minutes.
[01:43:01.600 --> 01:43:04.620]  So thank you again, y'all, and yeah.
[01:43:07.530 --> 01:43:12.190]  I'm looking for... so I'm new to Discord. How do I do an applause?
[01:43:12.190 --> 01:43:21.210]  Is there a... I'm looking for... I guess, maybe, is there a GIF I can do with applause?
[01:43:24.130 --> 01:43:25.490]  I think you'll...
[01:43:26.490 --> 01:43:28.150]  Yeah, there we go.
[01:43:30.910 --> 01:43:34.950]  And that's applause for the people who stuck around to listen.
[01:44:20.450 --> 01:44:23.930]  AJ, what is it, about 2 o'clock in the morning there?
[01:44:33.400 --> 01:44:37.800]  She must have dropped off because it is about 2 o'clock in the morning there.
[01:44:37.800 --> 01:44:40.920]  She must have fallen asleep. It's pretty late.
[01:44:42.740 --> 01:44:46.540]  Hopefully, she was able to stay up. And luckily, it was on a Friday night.
[01:44:46.540 --> 01:44:49.840]  So hopefully, she's got nothing going on tomorrow.
[01:45:00.610 --> 01:45:06.490]  I guess we didn't get any trolls or anybody trying to hack the channel, huh?
[01:45:06.490 --> 01:45:13.130]  I was a little bit happy for that, because we had, I think, yesterday, and even on Thursday,
[01:45:13.130 --> 01:45:18.250]  we had Discord completely crash, slash, shut down, slash, I don't know what happened.
[01:45:18.330 --> 01:45:22.890]  So I'm really glad that it didn't go down, because, yeah, that was interesting.
[01:45:22.890 --> 01:45:27.430]  We were doing some live training, and everything just pretty much died.
[01:45:27.430 --> 01:45:31.330]  And in the true fashion of DEF CON, if we haven't crashed Discord, it's not really a DEF CON.
[01:45:31.330 --> 01:45:35.050]  Or done anything unintentionally malicious.
[01:45:35.050 --> 01:45:42.670]  So you've done Ethics Village. I've never been to actual DEF CON.
[01:45:42.670 --> 01:45:45.970]  I go to a lot of conferences, but that's not one I've touched upon.
[01:45:45.970 --> 01:45:56.590]  Although I do have a DEF CON deck of playing cards from 2015 that I won in a poker game.
[01:45:57.030 --> 01:46:00.030]  So that's about as close as I've gotten.
[01:46:00.030 --> 01:46:03.710]  It's actually pretty cool. I meant to bring them out, because they're...
[01:46:03.710 --> 01:46:06.810]  Although my screen shut down.
[01:46:07.770 --> 01:46:12.070]  The jokers are hackers, and it's got a pretty good...
[01:46:12.070 --> 01:46:14.810]  The graphic design is pretty interesting.
[01:46:15.290 --> 01:46:20.190]  So you've done Ethics Village before, at the actual event?
[01:46:20.370 --> 01:46:23.610]  Yeah, definitely. So this is, I think, I believe...
[01:46:23.610 --> 01:46:27.730]  And if the Fixer, or at Irish Bug, or anyone who's listening,
[01:46:27.730 --> 01:46:31.850]  and I believe this is the third year we're doing it,
[01:46:31.850 --> 01:46:33.610]  or maybe possibly the fourth year.
[01:46:33.610 --> 01:46:40.590]  So essentially, Ethics Village originally started, believe it or not, as a university project.
[01:46:41.010 --> 01:46:46.530]  Irish Bug and Dr. Wardog were both... third year, there you go, third year.
[01:46:46.530 --> 01:46:50.170]  They're both faculty slash staff at the University of Illinois.
[01:46:50.710 --> 01:46:54.230]  Also the same university where AJ was mentioning.
[01:46:54.750 --> 01:46:59.730]  And they essentially created a... there's a privacy and ethics class,
[01:46:59.730 --> 01:47:02.490]  and Ethics Village was born out of that.
[01:47:02.570 --> 01:47:06.690]  So what ended up happening was one day, the class assignment was,
[01:47:06.690 --> 01:47:10.770]  hey, let's do a DEF CON Ethics Village,
[01:47:10.770 --> 01:47:14.490]  and Irish Bug can attest a little more to that.
[01:47:14.490 --> 01:47:19.670]  He's actually the... him and Dr. Wardog are the original creators.
[01:47:19.670 --> 01:47:25.510]  So I just kind of tagged along since I've worked with them on some security stuff as well.
[01:47:25.510 --> 01:47:28.110]  So yeah, we're in our third year.
[01:47:28.110 --> 01:47:31.530]  And unfortunately, you know, this is a... we can't do it live.
[01:47:31.530 --> 01:47:34.850]  We usually have fun, and we even have cool t-shirts.
[01:47:35.110 --> 01:47:37.050]  You'll see my shirt.
[01:47:37.530 --> 01:47:42.690]  So hopefully next year we all get to see folks again, you know, personally,
[01:47:42.690 --> 01:47:47.790]  because it tends to be pretty fun, just in general, and seeing people's faces.
[01:47:48.630 --> 01:47:51.190]  Yeah, I'll definitely have to check it out,
[01:47:52.810 --> 01:47:57.910]  because I do go to a lot of conferences normally, in a normal world.
[01:47:57.910 --> 01:48:00.870]  In fact, so the last two years...
